Reading about Google's security today reminded me of a vulnerability I discovered in the @twitterapi a while ago. October 4th to be exact. The response was typical, but as of this writing the replay attack vulnerability has not been fixed.

Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.

My email to security@twitter.com on October 4th and their response.
A single OAuth request can currently be made repeatedly until the timestamp expires. For example, the URL below worked in a browser repeatedly.
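An added example, not code from the post or from Twitter, of the server-side check that closes this: OAuth 1.0a requires the nonce to be unique for each consumer key, token and timestamp, so a server that remembers the nonces it has already seen rejects a repeated request even while its timestamp is still inside the freshness window. The window length and the request values are assumed.

```python
import time

# Added example (not Twitter's or the post's code): a server-side OAuth 1.0a replay guard.
# The spec requires each (consumer_key, token, timestamp, nonce) tuple to be unique, so
# a server that only checks the timestamp window accepts the same signed request again
# until that window closes, which is the behaviour the email above describes.

WINDOW_SECONDS = 300  # assumed freshness window (5 minutes)


class ReplayGuard:
    """Remember nonces seen inside the freshness window and reject repeats.

    Runs after the OAuth signature has been verified; it only answers
    "have we already served this exact request?"
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # (consumer_key, token, nonce) -> timestamp

    def _evict(self, now):
        """Forget nonces whose timestamp left the window; they can no longer be replayed."""
        cutoff = now - self.window
        for key, ts in list(self._seen.items()):
            if ts < cutoff:
                del self._seen[key]

    def accept(self, consumer_key, token, timestamp, nonce, now=None):
        """Return True only if the request is fresh and its nonce is unseen."""
        now = time.time() if now is None else now
        self._evict(now)
        if abs(now - timestamp) > self.window:
            return False  # stale or future-dated request
        key = (consumer_key, token, nonce)
        if key in self._seen:
            return False  # identical request replayed inside the window
        self._seen[key] = timestamp
        return True


def demo():
    """Submit the same signed request (constructed values) three times."""
    guard = ReplayGuard()
    req = dict(consumer_key="ck_example", token="tok_example",
               timestamp=1_000_000, nonce="n0nce123")
    first = guard.accept(**req, now=1_000_000)        # accepted
    replay = guard.accept(**req, now=1_000_010)       # same nonce, rejected
    stale = guard.accept(**req, now=1_000_000 + 600)  # outside window, rejected
    return first, replay, stale
```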

What do all of the many Twitter mashups hanging around on the internet have in common? Broken avatars! At the rate users upload new avatars, every site will at some point have outdated profile information. I have come up with a simple and elegant method of keeping profiles up to date with very few wasted compute cycles.

The basic idea is to bind an event handler onto JavaScript error events with @jQuery. This handler will perform two actions. First, it will replace the image source with a temporary static link to the user's avatar so the visitor will see a working image. Second, the handler will ping the server with the screen_name of the missing avatar so the persistent storage can be updated.

In your HTML, load jQuery and use selectors to find all image elements with a class of twitter-avatar. The error handler bound to all the selected image elements updates the image source and pings the server.

The second file is in PHP and uses TwitterOAuth but can be in any programming language. …

I have enjoyed being in Seattle but have decided to take a job with @Answerly and move to San Francisco. Answerly is a @YCombinator startup building some awesome stuff and I am very excited to be joining the team. While I can't go into details yet, be sure to follow me (@abraham) on @Twitter to see my latest startup experience unfold. I love working with lots of social data so I'm sure there will be some of that mixed in. :-P

When am I moving? Well, pretty much immediately. I will be in Portland for Thanksgiving before driving down I-5 early December. If you happen to be along the route, drop me a note and maybe I will drop in for a bit.

5. Abraham Williams: Copy-Paste Hacking
Williams is a developer and self-styled “hacker advocate.”
Williams, like his fellow experts, admits that PHP “has a short route to minimum viable product.” He also says that the readily available resources online can be great and terrible at the same time.
“There is a huge amount of code laying around on the Internet ready to copy and paste to hack together. On the flip side, the low barrier of entry results in a lot of crappy code that you really don’t want running on your server.”
He also says one of his favorite PHP apps is the open-source microblogging platform StatusNet (http://status.net/).

@alain94040 had an experience with some of @Google's terrible user experience trying to access his @YouTube account. While Google definitely needs to improve their sign-in system (which they are doing), Alain's example is a perfect storm of everything going wrong.